Insufficient Transport Layer Protection.
- Use TLS (HTTPS) to protect all authentication-related traffic, and every later request that carries the session cookie; a session that is established over HTTPS but then used over plain HTTP can still be hijacked.
- Configure the server to negotiate only strong protocol versions and cipher suites: no SSLv2/SSLv3, and no suites using RC4, MD5 or 3DES. See Securing Tomcat.
- Session cookies should have their "secure" flag set, so the browser never sends them over plain HTTP (setting "HttpOnly" as well keeps them out of reach of script).
- Ensure the server TLS certificate is properly configured: issued by a CA that clients trust, matching the host name, unexpired, and served with its full intermediate chain.
To configure Tomcat 4 so that it only uses strong encryption for SSL, find the SSL Connector definition in server.xml and set the ciphers attribute. The attribute is an allow-list: only the suites named in it are offered, so keep RC4, MD5-based and 3DES suites out of it.
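<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443.
     "ciphers" is an allow-list: only the suites named here are offered.
     The RC4, MD5-based and 3DES suites have been dropped (RC4 is prohibited
     by RFC 7465; 3DES is exposed to Sweet32), leaving the AES-128 suites.
     The DHE suites are listed first because they provide forward secrecy.
     NOTE(review): protocol="TLS" on older JSSE versions may still accept
     SSLv3; verify the negotiated protocol with an external scanner. -->
<Connector acceptCount="100"
           className="org.apache.coyote.tomcat4.CoyoteConnector"
           debug="0"
           disableUploadTimeout="true"
           enableLookups="false"
           maxProcessors="150"
           minProcessors="5"
           port="8443"
           scheme="https"
           secure="true"
           useURIValidationHack="false"
           ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA">
  <!-- keystorePass is stored in cleartext in server.xml: restrict the file's
       permissions to the Tomcat service account and keep it out of version control. -->
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false"
           keystoreFile="C:/ ... /conf/security/jdex.jks"
           keystorePass="********"
           protocol="TLS"/>
</Connector>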
In Tomcat 5:
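<!-- Define an SSL HTTP/1.1 Connector on port 443.
     "ciphers" is an allow-list: only the suites named here are offered.
     The RC4, MD5-based and 3DES suites have been dropped (RC4 is prohibited
     by RFC 7465; 3DES is exposed to Sweet32), leaving the AES-128 suites.
     The DHE suites are listed first because they provide forward secrecy.
     NOTE(review): sslProtocol="TLS" on older JSSE versions may still accept
     SSLv3; verify the negotiated protocol with an external scanner.
     keystorePass is stored in cleartext in server.xml: restrict the file's
     permissions to the Tomcat service account and keep it out of version control. -->
<Connector port="443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile=".keystore"
           keystorePass="*********"
           ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" />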